rkt and the Trusted Platform Module
rkt supports measuring container state and configuration into the Trusted Platform Module (TPM) event log. Enable this functionality by building rkt with the `--enable-tpm=yes` option to `./configure`. rkt accesses the TPM via the `tpmd` executable available from the go-tspi project. This `tpmd` is expected to listen on port 12041.
Events are logged to PCR 15, with event type `0x1000`. Each event contains the following data:
- The hash of the container root filesystem
- The hash of the contents of the container manifest data
- The hash of the arguments passed to
This provides a cryptographically verifiable audit log of the containers executed on a node, including the configuration of each.
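The verifiability rests on replaying the log: a verifier re-hashes each event's data, folds the digests of every PCR 15 event into a zeroed PCR in log order, and compares the result with the PCR value the TPM quotes. The following added example (not rkt or go-tspi code) does that replay. It assumes TPM 1.2 SHA-1 extend semantics and the TCG 1.2 binary event layout; the event data layout (the three hashes concatenated) and all sample values are constructed for illustration, not rkt's exact format.

```python
import hashlib
import struct

PCR_INDEX = 15        # PCR used by rkt, per the documentation
EVENT_TYPE = 0x1000   # event type used by rkt, per the documentation
EXTEND_HASH = hashlib.sha1  # assumption: TPM 1.2 PCR banks are SHA-1

def make_event(rootfs_hash, manifest_hash, args_hash):
    """Build one entry in the TCG 1.2 binary event layout:
    pcrIndex(u32) || eventType(u32) || digest(20) || eventSize(u32) || eventData.
    eventData as three concatenated hashes is an assumption, not rkt's format."""
    data = rootfs_hash + manifest_hash + args_hash
    digest = EXTEND_HASH(data).digest()
    return (struct.pack("<II", PCR_INDEX, EVENT_TYPE) + digest
            + struct.pack("<I", len(data)) + data)

def parse_log(log):
    """Parse the binary log; reject any entry whose data no longer matches its digest."""
    events, off = [], 0
    while off < len(log):
        pcr, etype = struct.unpack_from("<II", log, off); off += 8
        digest = log[off:off + 20]; off += 20
        (size,) = struct.unpack_from("<I", log, off); off += 4
        data = log[off:off + size]; off += size
        if EXTEND_HASH(data).digest() != digest:
            raise ValueError("event data does not match recorded digest")
        events.append((pcr, etype, digest, data))
    return events

def replay_pcr(events, pcr_index=PCR_INDEX):
    """Replay extends for one PCR starting from zero: new = H(old || digest)."""
    pcr = b"\x00" * 20
    for idx, _etype, digest, _data in events:
        if idx == pcr_index:
            pcr = EXTEND_HASH(pcr + digest).digest()
    return pcr

def verify(log, quoted_pcr):
    """True only if the log is internally consistent and replays to the quoted PCR."""
    try:
        return replay_pcr(parse_log(log)) == quoted_pcr
    except ValueError:
        return False

def sample_log():
    """Two constructed container launches (sample values, not real rkt output)."""
    log = b""
    for rootfs, manifest, args in [(b"rootfs-A", b"manifest-A", b"args-A"),
                                   (b"rootfs-B", b"manifest-B", b"args-B")]:
        log += make_event(*(EXTEND_HASH(x).digest() for x in (rootfs, manifest, args)))
    return log
```

Because each extend chains on the previous value, both the content and the order of container launches are bound into the final PCR; a tampered entry fails the digest check and a reordered log replays to a different value.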